Man
Professional
- Messages
- 2,965
- Reaction score
- 488
- Points
- 83
Last October, cybercriminals managed to infect hundreds of thousands of Android and iOS devices using a botnet dubbed PEACHPIT. Their goal was to make money illegally by clicking on ads.
The PEACHPIT botnet is part of a larger operation by Chinese hackers codenamed BADBOX. The group also sells unbranded mobile and CTV devices with Triada malware on popular online stores and reseller sites.
The devices were reportedly infected via 39 apps containing the malware code, with a total of over 15 million downloads. We previously wrote about malicious apps found on Google Play and the App Store, with 2 million installations.
Devices loaded with the BADBOX malware allowed botnet operators to steal sensitive user data, create local proxy exit nodes, and commit ad fraud through fake apps.
It is currently unknown how the Android devices were infected. According to experts, it is most likely that Chinese manufacturers supplied devices to countries with a built-in backdoor.
The first record of a new botnet targeting ad fraud was published in a report by Trend Micro in May 2023. At the time, they attributed its activity to the Lemon Group cybercriminal group they were tracking.
Human experts were able to identify about 200 different types of Android devices, including smartphones, tablets and CTVs, which showed signs of infection with the Badbox malware, indicating the widespread distribution of malware. It is noteworthy that applications designed to click on ads were freely available in the Apple App Store and Google Play Store.
Experts found that Android apps had a module responsible for creating hidden WebView components that sent requests in the background and displayed web pages with ads for subsequent clicking. In addition, they masked ad requests - supposedly they came from official apps. This method was already known - another cyber group had previously used it to distribute and carry out attacks of the VASTFLUX botnet.
At the time of the attack by cybersecurity specialists Human, Google and other companies on the central C2 servers of the botnet, including BADBOX, they had already been disabled by the attackers. Moreover, the cybercriminals launched an update of the malware that removed the modules that powered the PEACHPIT botnet. At the same time, experts assumed that the hackers were adjusting their tactics in an attempt to bypass the blocking systems.
According to numerous reports from Doctor Web and Check Point, pre-installed malware on Android devices is not a new phenomenon, dating back to at least 2016, and was mainly distributed through cheap smartphones and tablets.
And we remind you of the importance of installing antivirus programs on your devices. Up-to-date database updates will help prevent your device from being infected with malware.
The PEACHPIT botnet is part of a larger operation by Chinese hackers codenamed BADBOX. The group also sells unbranded mobile and CTV devices with Triada malware on popular online stores and reseller sites.
The devices were reportedly infected via 39 apps containing the malware code, with a total of over 15 million downloads. We previously wrote about malicious apps found on Google Play and the App Store, with 2 million installations.
Devices loaded with the BADBOX malware allowed botnet operators to steal sensitive user data, create local proxy exit nodes, and commit ad fraud through fake apps.
It is currently unknown how the Android devices were infected. According to experts, it is most likely that Chinese manufacturers supplied devices to countries with a built-in backdoor.
The first record of a new botnet targeting ad fraud was published in a report by Trend Micro in May 2023. At the time, they attributed its activity to the Lemon Group cybercriminal group they were tracking.
Human experts were able to identify about 200 different types of Android devices, including smartphones, tablets and CTVs, which showed signs of infection with the Badbox malware, indicating the widespread distribution of malware. It is noteworthy that applications designed to click on ads were freely available in the Apple App Store and Google Play Store.
Experts found that Android apps had a module responsible for creating hidden WebView components that sent requests in the background and displayed web pages with ads for subsequent clicking. In addition, they masked ad requests - supposedly they came from official apps. This method was already known - another cyber group had previously used it to distribute and carry out attacks of the VASTFLUX botnet.
At the time of the attack by cybersecurity specialists Human, Google and other companies on the central C2 servers of the botnet, including BADBOX, they had already been disabled by the attackers. Moreover, the cybercriminals launched an update of the malware that removed the modules that powered the PEACHPIT botnet. At the same time, experts assumed that the hackers were adjusting their tactics in an attempt to bypass the blocking systems.
According to numerous reports from Doctor Web and Check Point, pre-installed malware on Android devices is not a new phenomenon, dating back to at least 2016, and was mainly distributed through cheap smartphones and tablets.
And we remind you of the importance of installing antivirus programs on your devices. Up-to-date database updates will help prevent your device from being infected with malware.
